Building Your Public Key Infrastructure

The Windows 2000 PKI provides a framework of services, technology, and protocols based on standards that enable you to deploy and manage a strong information security system using public key technology. Windows 2000 supports a variety of public key security features required by distributed security services. For example, Windows 2000 supports public key cryptography operations required for EFS without the need to deploy additional infrastructure or CAs.

However, many security solutions (such as secure e-mail, smart card authentication, and secure Web communications) require that you design, test, and deploy additional components of the PKI, including CAs, certificate enrollment, and certificate renewal, to support these types of applications. You might also want to deploy certificate services to support EFS users and multiple recovery agents, or to support IPSec authentication for clients that do not run Kerberos authentication or cannot use Kerberos authentication to establish trust relationships (for example, across untrusted Windows 2000 domains, or with a computer that is not a member of a Windows 2000 domain). Furthermore, to meet special requirements for your organization, you might want to develop and deploy custom applications and certificate services.

Figure 12.1 shows a basic process that you can use to design, test, and deploy a PKI in your organization.

You can design and deploy your PKI using Microsoft Certificate Services. You can also use Windows 2000–compliant third-party CAs to build part or all of your PKI. The basic process for building your PKI is the same whichever certificate services you use. However, the actual implementation details for building your PKI will differ depending on the specific certificate services technology. For more information about the components and features of the Windows 2000 public key infrastructure, see "Choosing Security Solutions That Use Public Key Technology" in the Microsoft Windows 2000 Server Resource Kit Distributed Systems Guide. For more information about the components and features of third-party certificate services, contact the appropriate vendor for the certificate service.